Trust & Security
Transparent methodology, threat-informed design, and security-by-design principles for ransomware readiness assessments you can trust.
Transparent Methodology
Clear, explainable evaluation framework focused on ransomware impact and recovery blockers.
Data Control
Your data stays under your control. Minimal collection, no resale, logical separation.
Security-by-Design
Security built in from the ground up with least privilege, isolation, and secure defaults.
Data handling & privacy
Your data stays under your control
CyberCaution™ is designed with privacy and data control as foundational principles. Your assessment data is used solely to generate the assessment outputs you need.
Minimal data collection
Only the data necessary for assessment is collected. No unnecessary payloads or extraneous information is gathered.
No resale or monetization
Customer data is never resold or monetized. Your information is used exclusively to generate your assessment outputs.
Separation of customer environments
Customer environments are logically separated to ensure data isolation and prevent cross-contamination between assessments.
Data used only for assessment outputs
All collected data is used exclusively to generate the assessment outputs you need. No secondary uses or hidden processing occurs.
Delivery and deployment options
You choose where your data resides. Available options (as set out in our Privacy Policy and Terms of Service):
- Local-Only Mode: All data stored exclusively in your browser (IndexedDB, localStorage) or desktop app.
- Self-Managed Cloud: Deploy to your own cloud infrastructure with full control (AWS, Azure, GCP).
- ERMITS-Managed Cloud: Optional encrypted cloud synchronization with zero-knowledge architecture.
- Hybrid Deployment: Local processing with selective encrypted cloud backup.
- On-Premises: Enterprise customers can deploy on their own infrastructure.
For cloud-managed options, data residency is determined by your selected deployment region and applicable compliance requirements.
How we offer the platform
Assessment Hub, Defense Workflow, and Toolkit are offered only under privacy-preserving conditions so that our promise—your data stays under your control—is kept by design:
- Local-first by default: Assessment and workflow data stay on your device or in your environment unless you explicitly opt in to sync or cloud.
- Same-origin or client-hosted: When the toolkit and hub are used together with shared data, they are designed to run on a single origin (e.g. your domain or our single-domain deployment) so data does not need to cross origins to our servers.
- Optional cloud/sync only when you choose: Any sync to a backend or cloud is opt-in. If you use your own backend (self-managed or on-premises), your data never passes through our systems.
We do not use our servers to access your assessment or workflow data by default. Features are delivered under these conditions to align with our privacy-first commitment.
For detailed information about data handling and privacy practices, please review:
Security-by-design practices
Security is built in, not bolted on
CyberCaution™ follows security-by-design principles, ensuring that security considerations are integrated into the platform's architecture from the ground up.
Least privilege
Access controls follow the principle of least privilege, ensuring users and systems only have the minimum permissions necessary to perform their functions.
Isolation between tenants
Logical and physical isolation between customer environments prevents data leakage and ensures assessment integrity.
Secure defaults
The platform is configured with secure defaults, reducing the risk of misconfiguration and ensuring a strong security posture out of the box.
Controlled access paths
All access paths are controlled and monitored, with authentication and authorization mechanisms in place to protect sensitive operations.
Auditability of outputs
Assessment outputs are designed to be auditable, with clear traceability between inputs, evaluation logic, and final recommendations. This enables security leaders to defend their risk decisions with confidence.
Framework alignment & established guidance
Framework alignment & established guidance
CyberCaution™'s methodology is informed by and consistent with established cybersecurity frameworks and industry best practices, with a focus on ransomware-specific risk evaluation. Our outputs support cyber risk readiness and ransomware preparedness and can be used to inform governance, risk, and compliance (GRC) efforts—as summarized in the mappings below.
CyberCaution™ does not claim certification, control ownership, or compliance on behalf of customers.
NIST Cybersecurity Framework (CSF v2 concepts)
| CSF function | CyberCaution™ contribution |
|---|---|
| Identify | Exposure visibility, dependency awareness, and risk categorization inputs |
| Prepare | Readiness assessment, preparedness indicators, and gap signals |
| Detect | Early risk and exposure signals (readiness-focused) |
| Respond | Response preparedness inputs and prioritization support |
| Recover | Informational input only |
ISO/IEC 27001 & ISO/IEC 27005
| Risk management activity | CyberCaution™ role |
|---|---|
| Risk identification | Identification of exposure conditions and ransomware-relevant dependencies |
| Risk analysis | Readiness scoring and impact-oriented indicators |
| Risk evaluation | Decision-support outputs for prioritization |
| Risk treatment | Informational input only |
| Monitoring & review | Continuous readiness visibility |
Ransomware readiness (NIST IR 8374 · CISA guidance)
| Readiness area | Coverage |
|---|---|
| Exposure awareness | ✔ Supported |
| Preparedness gap identification | ✔ Supported |
| Response planning inputs | ✔ Supported |
| Incident response execution | ✖ Not provided |
| Recovery operations | ✖ Not provided |
Explicit exclusions are intentional and reflect product scope.
Outputs & evidence you can defend
Trust is earned through outputs you can defend
CyberCaution™ generates assessment outputs designed to support defensible risk decisions. These deliverables enable security leaders, executives, boards, and insurers to understand ransomware readiness with clarity and confidence.
Executive summaries
Clear, concise summaries that communicate ransomware readiness status to executive leadership and boards, enabling informed risk decisions.
Prioritized remediation roadmaps
Actionable roadmaps that prioritize remediation efforts based on risk reduction logic, helping security teams focus on what matters most.
Exposure signals
Clear identification of conditions that signal ransomware exposure, enabling security teams to understand where failures would amplify impact.
Exportable formats
Assessment outputs are available in exportable formats, enabling integration with existing risk management and reporting workflows.
These outputs are designed to support CISOs, boards, and insurers in making defensible risk decisions about ransomware readiness, with clear traceability from assessment inputs to final recommendations.
Make ransomware readiness decisions you can explain
Before you're forced to make them under pressure.
Start Risk Readiness Assessment